The phone drops to No Service and keeps doing it.

Wi‑Fi still works, so it is tempting to shrug and blame the carrier. But this is one of those moments where being calm can cost money.

Because “No Service” is also what it looks like when someone has just moved your phone number onto their SIM card.

That single change can turn a phone number into a crowbar. Not because the SIM is magic, but because too many services treat a phone number like proof of identity.

SIM swap attacks keep working for the same reason cheap locks keep getting picked. The lock was never designed to protect a vault.

SIM Swap Attack Basics

A SIM is a small chip that tells a mobile network who you are.

Inside the carrier’s systems, two identifiers matter:

  • MSISDN: your phone number
  • IMSI: the identity tied to the SIM card on the network

A SIM swap happens when the carrier links your MSISDN to a new IMSI. In plain terms, your number starts ringing and receiving texts on someone else’s device.

There is a close cousin called port‑out fraud. That is when the attacker ports the number to a new carrier using local number portability rules. The result is the same: the attacker controls where calls and texts go. The FCC describes both SIM swap fraud and port‑out fraud as impersonation that lets a bad actor receive texts and calls meant for the real customer. 

The key point is this: the attacker does not need to break encryption or hack a bank. They aim for the easiest system that sits upstream of everything else, which is often the phone carrier’s support process.

SIM Swap Attack Workflow

Most SIM swaps follow a predictable flow. The details change, but the shape stays the same.

  • Recon and data collection
    Attackers gather personal details that help them pass identity checks. This can come from old breaches, data brokers, social media, or just patient searching. If a support desk still uses “knowledge checks” like address, date of birth, or last bill amount, that data can often be found or guessed.
  • The number takeover request
    The attacker contacts the carrier and requests a SIM change or port. Sometimes it is a phone call. Sometimes it is an in‑store visit. Sometimes it is an employee doing it from the inside.
  • The swap execution
    Once approved, the carrier’s systems link the number to the attacker’s SIM. Your phone loses service immediately.
  • Downstream account takeover
    The attacker triggers password resets on email, banking, crypto exchanges, and social apps. If those services send one‑time codes by SMS, the attacker receives them.

The scary part is speed. Once the number moves, the attacker can automate the rest. Password reset flows were built to be fast and “helpful.” Attackers love helpful.

SMS MFA Security Failure

SMS‑based two‑factor authentication feels like security because it adds a second step. The problem is that the second step is anchored to a phone number, and a phone number is not a secure object.

NIST now calls the public phone network used for out‑of‑band authentication a restricted authenticator in its updated digital identity guidelines, meaning it is allowed only with extra risk controls and should not be treated as a modern best practice. 

CISA and partners also published mobile communications guidance that plainly recommends avoiding SMS as a second factor and suggests adding protections like a carrier account PIN and carrier account MFA to reduce SIM swap risk. 

Two practical reasons explain why SMS collapses in real incidents:

  • Carriers route messages, they do not prove identity
    The carrier will deliver your SMS codes to whoever the carrier believes currently owns that number. A SIM swap changes that belief.
  • Recovery flows treat the phone number as a master key
    Many “forgot password” systems assume that if someone can receive texts at a number, they must be the account owner. That assumption is exactly what SIM swapping breaks.

This is why SIM swap case studies look so dramatic. The attacker does not need to defeat MFA. They just redirect where MFA goes.

Jack Dorsey SIM Swap Attack

In August 2019, Twitter CEO Jack Dorsey’s account was hijacked for about 20 minutes and used to post offensive content. WIRED reported the attack appeared to involve a SIM swap and was claimed by a group known as Chuckling Squad. 

What made this case important was not just who it hit. It was how the attacker posted tweets without needing the normal login path.

What Went Wrong

  • Carrier‑level identity checks failed
    A SIM swap requires a carrier to approve a number move. If that approval can be tricked, rushed, or overridden, the attacker owns the number. The public reporting on the incident points to a SIM swap as the entry point. 
  • A legacy Twitter SMS feature became a backdoor
    WIRED noted the tweets appeared to be sent via Cloudhopper, the SMS service Twitter acquired in 2010, which supported tweeting by SMS.

That meant the attacker did not need Dorsey’s Twitter password. They needed control of the phone number, then they could send texts that Twitter treated as authorized posts.

Twitter temporarily disabled tweeting via SMS after the incident.

The lesson

A platform can have strong modern security on its main login, then quietly keep one older feature that trusts phone numbers too much. Attackers search for that older feature because it is usually the shortest path.

This is not just a Twitter problem. It is a general product problem. Any system that has “email us to do X” or “text a code to do Y” is a system with an extra identity pathway. If that pathway is weaker than the main login, it will be targeted.

Michael Terpin SIM Swap Lawsuit

Michael Terpin’s case shows how SIM swapping turns into large financial loss, and how the root cause can be a person with privileged access.

A Ninth Circuit decision from September 30, 2024 describes Terpin’s claim that hackers gained control of his number through a fraudulent SIM swap, intercepted password reset messages, and stole $24 million in cryptocurrency.

What Went Wrong

“Extra security” did not survive insider access

Terpin had previously experienced SIM swap fraud and said he arranged extra security with AT&T. The court opinion describes his allegation that security measures were bypassed anyway. 

The bigger failure is structural: if an employee can override protections, then protections are only as strong as employee behavior and internal controls.

Authorized retailer access created a low‑oversight, high‑power target

In the Ninth Circuit summary, Terpin alleged that an AT&T authorized retailer employee was bribed to bypass security measures and complete the SIM swap. 

That matters because authorized retailers can have serious account management access, but the oversight model is not always as tight as a corporate security operation. Attackers do not need a sophisticated exploit if they can pay for a shortcut.

Account takeover pivoted through password reset messages

The court described a familiar chain: once the attackers controlled the number, they received password reset messages for Terpin’s online accounts.

The exact downstream steps vary by victim. The pattern is consistent: number control enables resets, resets enable email or cloud access, and email or cloud access enables the rest.

The legal angle that changed the conversation

A major point in the Ninth Circuit ruling was the claim under Section 222 of the Federal Communications Act, which is about protecting customer proprietary network information. The court revived that claim in part, treating the SIM swap as potentially allowing improper access to protected information. 

That is not just courtroom trivia. It signals that carriers may face stronger legal pressure when number control failures lead to harm, even when contracts try to limit liability.

Seth Shapiro SIM Swap Lawsuit

Seth Shapiro’s story is another example of SIM swaps targeting cryptocurrency accounts, and it highlights something many people underestimate: repeat attacks.

ABC News reported that Shapiro sued AT&T alleging hackers took over his number and stole more than $1.8 million through SIM swap attacks in May 2018. 

What Went Wrong

  • The victim can be “present” and still powerless
    SIM swaps move faster than human response channels. By the time someone reaches a store or support line, password resets may already be in progress.
  • Support promises can be vague or inconsistent
    Reporting on Shapiro’s case describes confusion around protections that were expected to exist. This kind of mismatch matters because attackers only need one weak channel. Even if one support agent follows a strict rule, a different channel may not.
  • Crypto exchange recovery flows magnified the damage
    Many exchange accounts historically relied on SMS codes or phone‑number‑based recovery. Once an attacker controls the number, resets become much easier. Ars Technica’s coverage of the lawsuit also quotes the complaint describing more than $1.8 million stolen in consecutive SIM swap attacks.

The hard truth is that crypto theft is often an identity recovery problem, not a blockchain problem. The blockchain transfer may be irreversible, but the entry point is often a normal password reset flow.

Lapsus$ Enterprise SIM Swap Tactics

SIM swapping is often framed as “criminals stealing money from individuals.” Lapsus$ showed how the same basic trick can be used as an enterprise intrusion tool.

A U.S. Cyber Safety Review Board report on the Lapsus$ incidents describes a pattern of relying on social engineering and simple techniques to gain access, rather than advanced vulnerabilities. 

What Went Wrong At T‑Mobile

Reporting based on leaked Lapsus$ chats described the group gaining access to over 30,000 source code repositories and reaching internal tools such as Atlas, a customer account management tool.

The bigger point is leverage. When attackers gain access to internal carrier tooling, they can potentially perform actions that a normal customer service path would block or at least slow down.

Even if Atlas was not used for every SIM swap, the existence of internal tools that can manage customer accounts becomes an obvious target once attackers get inside.

What Went Wrong With Insider Recruitment Economics

The Lapsus$ era made one idea painfully clear: insider access is a market.

Attackers do not need to guess passwords when they can buy credentials, buy session access, or pay someone to click the right button. When the payout from a successful compromise is high, bribery becomes cheap in comparison.

Okta Support Vendor Breach

Okta’s incident linked to Lapsus$‑style activity is a clean example of a supply chain weakness.

Okta stated that screenshots were taken from a computer used by a third‑party customer support engineer, and later updates discussed a window where an attacker had access to that support engineer’s laptop.

This matters because customer support engineers can have tooling that allows password resets or MFA factor changes for customers. Okta noted that this type of access could allow actions that affect customer accounts. 

The SIM swap connection here is not always direct, but the logic is the same:

  • compromise a person or their device,
  • get into a privileged support tool,
  • reset identity factors,
  • move laterally.

The “person layer” is still the entry point, just inside a different organization.

MGM Resorts Help Desk Breach

The MGM incident is a lesson in how identity attacks evolve when carriers add more safeguards. Attackers move up the stack.

Bloomberg reported that MGM’s attackers broke in after tricking the IT service desk, which points to help desk social engineering as the initial access method.

MGM later filed an 8‑K stating the company estimated a negative impact of approximately $100 million related to the September cybersecurity issue. 

What Went Wrong

  • Help desk identity proofing relied on knowledge checks
    If a help desk verifies identity using employee ID, date of birth, or other static details, that is a weak barrier in 2026. Too much personal data is already exposed.
  • MFA reset workflows were treated like normal support tasks
    This is the enterprise version of a SIM swap. Instead of moving a phone number, the attacker convinces support to enroll a new MFA device or reset an MFA factor. Once that happens, the attacker is “the second factor.”
  • MFA fatigue tactics filled the gaps
    The CISA advisory on Scattered Spider describes techniques like social engineering against IT help desks and notes that phishing‑resistant MFA methods are not susceptible to the SIM swap and push bombing tactics that the group is known to use.

When an organization relies on push approvals without strong user verification, attackers can spam prompts until someone approves, or they can call pretending to be IT and talk the user into approving.
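The swap‑then‑reset sequence from the workflow section and the help desk MFA reset described here leave the same trace in logs: an identity factor moves, then a password reset or new‑device sign‑in follows within minutes. The Python below is an added example, not taken from any carrier’s or vendor’s tooling; the log format, the event names and the 30‑minute window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Hypothetical event names: anything that moves an identity factor to a new holder.
FACTOR_MOVED = {"sim_change", "helpdesk_mfa_reset"}
# Actions that turn a moved factor into account control.
FOLLOW_UP = {"password_reset", "new_device_login"}
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample log, not from a real system.
SAMPLE_LOG = """\
2026-01-10T09:00:00 user=alice event=login device=known
2026-01-10T09:02:11 user=bob event=helpdesk_mfa_reset agent=sd-17
2026-01-10T09:05:40 user=bob event=new_device_login device=unknown
2026-01-10T11:30:00 user=carol event=sim_change source=carrier_notice
2026-01-10T11:31:05 user=carol event=password_reset channel=sms
2026-01-10T11:33:20 user=carol event=password_reset channel=sms
2026-01-10T12:00:00 user=dave event=helpdesk_mfa_reset agent=sd-04
2026-01-10T15:45:00 user=dave event=new_device_login device=unknown
malformed line without fields
"""

def parse(line):
    """Parse 'timestamp key=value ...' into a dict, or None if malformed."""
    parts = line.split()
    try:
        rec = dict(p.split("=", 1) for p in parts[1:])
        rec["ts"] = datetime.fromisoformat(parts[0])
    except (ValueError, IndexError):
        return None
    return rec if {"user", "event"} <= rec.keys() else None

def detect(log_text, window=WINDOW):
    """Alert when a follow-up action lands within `window` of a factor move."""
    last_move = {}  # user -> (timestamp, event) of the most recent factor move
    alerts = []
    records = sorted(filter(None, map(parse, log_text.splitlines())),
                     key=lambda r: r["ts"])
    for rec in records:
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        if event in FACTOR_MOVED:
            last_move[user] = (ts, event)
        elif event in FOLLOW_UP and user in last_move:
            moved_at, cause = last_move[user]
            if ts - moved_at <= window:
                gap = int((ts - moved_at).total_seconds())
                alerts.append((user, cause, event, gap))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Each alert carries the user, the factor move, the follow‑up action and the gap in seconds, so a short gap after a help desk reset can be prioritized for callback verification.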

Caesars Ransom After Help Desk Compromise

Caesars was hit around the same period. Public reporting widely described Caesars paying about $15 million to attackers, though exact numbers are often sourced to people familiar with the matter rather than a full public breakdown. The Associated Press reported Caesars paid a $15 million ransom.

The “what went wrong” story looks similar to MGM in the most important way: social engineering and identity workflow abuse sat at the center of it.

The reason Caesars vs. MGM gets compared so often is not just ransom decisions. It is that both incidents show how an organization can spend heavily on security tools, then lose the fight at the support layer.

SIM Swap Attack Root Causes

Across these case studies, the names change, the industries change, and the targets change. The failure modes are almost boringly consistent.

Carrier customer authentication gaps

Carriers still have customer service channels that are built for speed and customer happiness. That is not evil. It is just a reality that clashes with modern identity threats.

If authentication can be bypassed with partial personal data, or if a support agent can be pressured into skipping steps, SIM swaps will keep happening.

The FCC’s SIM swap and port‑out fraud rules exist because inconsistent carrier practices left customers exposed, and the Commission aimed to set baseline protections across providers. 

Authorized retailer privilege without matching oversight

Terpin’s allegations highlight how an authorized retailer employee with access can defeat customer‑facing protections.

This is a business model issue as much as a security issue. When thousands of retail endpoints can change number bindings, the attack surface becomes huge. If internal monitoring is weak, small bribery attempts can scale.

Account recovery flows that override strong login security

Dorsey’s case shows a legacy feature that bypassed the main login path. 

Terpin and Shapiro show how password reset messages and recovery flows can become the fastest route to full compromise. 

If recovery is easier than login, attackers will attack recovery.

Enterprise help desk workflows that can reissue MFA

MGM shows the modern enterprise pattern: attackers target help desks to reset identity factors. 

This is why “we have MFA” is not the end of the discussion. The real question is “how hard is it to reset MFA.”

SIM Swap Defense Without SMS

The goal is not perfection. The goal is reducing the chance that a phone number takeover becomes a full identity takeover.

Carrier account locks and port protections

Carriers are being pushed to offer account locks and better customer notifications. The FCC rules include requirements around customer notifications for SIM change and port‑out requests and require providers to offer account locks that block SIM changes and number ports. 

AT&T launched Wireless Account Lock as a feature that can block SIM swaps and number transfers, controlled through the myAT&T app.

These locks do not solve every insider threat, but they raise the bar for many common attacks, especially the quick social engineering calls.

Phishing‑resistant MFA and passkeys

If SMS is the weak link, the real fix is moving the second factor away from phone numbers.

Phishing‑resistant MFA usually means FIDO2, WebAuthn, hardware security keys, or passkeys. These methods rely on cryptography tied to a device, not a text message that can be rerouted.

The CISA Scattered Spider advisory specifically recommends phishing‑resistant MFA because it is not susceptible to SIM swap attacks and push bombing.

Number matching for push prompts

Push‑based MFA can be abused through fatigue. Number matching helps by forcing a user to type a number shown on the login screen into the authenticator prompt, instead of blindly approving. Microsoft documentation describes number matching as a key security upgrade for push notifications.

This does not stop SIM swaps directly, but it reduces one of the most common “talk someone into approving” tactics.

Reduce phone numbers in recovery paths

Even with strong MFA, an account can still fall through the recovery door.

A strong recovery strategy looks like this:

  • Recovery codes stored offline
  • Multiple recovery options that do not depend on a single phone number
  • A hard rule that changing recovery factors requires stronger proof than logging in

This is where many organizations and individuals still get hurt. They upgrade login security, but leave recovery stuck in 2015.
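One way to review an account against the hard rule above, and against the earlier point that attackers go after recovery when it is easier than login. The Python below is an added example, not code from any platform named in this article; the factor names and the strength ranking are assumptions made for illustration, and the sample accounts are constructed.

```python
from dataclasses import dataclass

# Assumed ranking for this example only (higher = harder to reroute or phish).
STRENGTH = {"sms_otp": 1, "voice_otp": 1, "password": 1, "totp": 2,
            "push_number_match": 2, "offline_recovery_code": 3,
            "passkey": 4, "security_key": 4}
PHONE_BOUND = {"sms_otp", "voice_otp"}  # delivered to whoever holds the number
MAX_STRENGTH = max(STRENGTH.values())

@dataclass
class Account:
    login_paths: list     # each path lists factors that must ALL be presented
    recovery_paths: list

def path_strength(path):
    # An attacker must defeat every factor in a path, so the strongest one gates it.
    return max(STRENGTH[f] for f in path)

def login_strength(acct):
    # The easiest login path sets the bar an attacker has to clear.
    return min(path_strength(p) for p in acct.login_paths)

def audit(acct):
    """Return findings where recovery undercuts login or rests on the number alone."""
    findings = []
    for p in acct.recovery_paths:
        if all(f in PHONE_BOUND for f in p):
            findings.append(("phone_number_is_master_key", tuple(p)))
        if path_strength(p) < login_strength(acct):
            findings.append(("recovery_weaker_than_login", tuple(p)))
    return findings

def may_change_recovery(acct, presented):
    """Hard rule: changing recovery factors needs stronger proof than logging in.

    Phone-bound factors never count. When login is already at the top of the
    scale, the strongest factor must be presented again.
    """
    required = min(login_strength(acct) + 1, MAX_STRENGTH)
    usable = [f for f in presented if f not in PHONE_BOUND]
    return bool(usable) and max(STRENGTH[f] for f in usable) >= required

# Constructed sample accounts.
legacy = Account(login_paths=[["password", "totp"]],
                 recovery_paths=[["sms_otp"], ["offline_recovery_code"]])
hardened = Account(login_paths=[["passkey"]],
                   recovery_paths=[["offline_recovery_code", "security_key"]])

if __name__ == "__main__":
    print(audit(legacy))
    print(audit(hardened))
    print(may_change_recovery(legacy, ["password", "sms_otp"]))
```

The legacy account logs in with password plus TOTP yet can be recovered with a single text message, which is the “recovery stuck in 2015” case.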

A visible industry shift away from SMS

Some large platforms are trying to reduce reliance on SMS in specific flows. For example, The Verge reported Google planned to replace SMS authentication for Gmail with QR codes in part to reduce abuse and improve security.

This is not a universal change yet, but it reflects a clear direction: phone numbers are being treated as less trustworthy over time.

Conclusion

SIM swap case studies are often told like crime stories. The more useful way to read them is as design reviews.

Each incident is the same design flaw wearing a different costume:

  • a carrier support workflow that can be socially engineered,
  • a retail employee with the power to move identities,
  • a legacy SMS feature that should have been retired,
  • a help desk that can reissue MFA on a phone call,
  • a recovery system that trusts phone numbers as if they are private keys.

A phone number is not a private key. It is a routing label.

Once that idea lands, the rest becomes more obvious. “No Service” stops being a minor inconvenience and starts looking like what it often is in these stories: the first warning that identity just moved somewhere else.